Kyle and Stan Malvertising Network Now Nine Times Larger

The malvertising network dubbed “Kyle and Stan” by Cisco researchers earlier this month is at least nine times bigger than first thought, according to the network giant.

One of the authors of the original blog, Armin Pelkmann, revealed in a new post that his team has now isolated 6,491 malicious domains sharing the same infrastructure, over nine times the number of the previously stated 703.

“We have observed and analyzed 31151 connections made to these domains. This equals over 3 times the amount of connections previously observed,” he added.

“The increase in connections is most likely not proportional to the domains due to the fact that a long time that has passed since the initial attacks.”

The attack infrastructure dates back to January 2012, with some domains such as kyle.mxp677.com, stan.mxp681.com and lpmxp47.com having a relatively short lifespan before they are replaced, while others – like megashre.info or file36.com – are used for longer periods.

“Noteworthy is that the popular domain www.winrar.com is also part of these attackers' network. The website is built to fool visitors into believing they are installing the popular compression tool WinRar, but instead they are downloading malware,” explained Pelkmann.

“This website exhibits a significant traffic load and is a good example on how the attackers behind this network are trying to fool users into installing their malware.”

Many of the malicious domains associated with the malvertising network appear to be hosted in Spain, although this doesn’t necessarily indicate that the 'masterminds' behind the campaign are based there, he cautioned.

Kyle and Stan was designed to infect Windows and Mac users and has already been detected on popular domains such as amazon.com, ads.yahoo.com and youtube.com.

Spyware, adware and browser hijackers are just some of the malicious payloads discovered by researchers.

The attackers behind the campaign have helped avoid detection by ensuring malware droppers have “clever techniques and encryption” to ensure unique checksums, while the use of domains for only a short time helps to bypass reputation and blacklist-based security systems.

What’s Hot on Infosecurity Magazine?